Specifying a set of forbidden passwords

ABSTRACT

Various embodiments are described for providing password approval on a device. The password approval includes getting the user password, generating at least one symbolically equivalent password and then comparing the at least one symbolically equivalent password with at least one specified forbidden password. The user password is disapproved if one of the symbolically equivalent passwords corresponds to the at least one forbidden password.

REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.11/342,540, filed on Jan. 31, 2006 and issued as U.S. Pat. No.7,904,729, which claims the benefit of U.S. Provisional Application No.60/726,170, filed on Oct. 14, 2005; the contents of application Ser. No.11/342,540 and of Application No. 60/726,170 are hereby incorporated byreference.

FIELD

The embodiments described herein relate to password entry for a mobilecommunication device.

BACKGROUND

Passwords are commonly used to allow a user to securely accessinformation or interact with a given device. However, users often selecta common word or phrase for the password to make it easier to rememberthe password. Unfortunately, certain words may be more common in certainlocations; for example, one of the most common passwords in Washington,D.C. is “redskins” (i.e. the local football team). IT administratorsprefer that users do not select a common word or phrase as part of thepassword since this jeopardizes the security of the information ordevice associated with the password.

Although some IT administrators try to define certain passwords asforbidden passwords that are not allowed for use, some users may chooseto substitute symbols for certain characters in the forbidden passwordso that the user password corresponds to the forbidden password. Forexample, the symbol “1” can be used instead of the character “I”, or thesymbol “5” can be used instead of the character “s”. The symbol “1” andthe character ‘i’ are visually related to one another as are the symbol“5” and the character “s”. Accordingly, a user may attempt to subvertexisting forbidden password checks by using similar looking or similarsounding passwords like “redskins” or “red5kins” in the case ofpreventing “redskins” for use as a password. This is not desirable sincea non-authorized third party can easily determine variants for commonpasswords thereby uncovering the user password in these cases.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of the embodiments described herein and toshow more clearly how it may be carried into effect, reference will nowbe made, by way of example only, to the accompanying drawings which showat least one exemplary embodiment in which:

FIG. 1 is a block diagram of an exemplary embodiment of a mobilecommunication device;

FIG. 2 is a block diagram of a communication subsystem component of themobile communication device of FIG. 1;

FIG. 3 is a block diagram of an exemplary embodiment of a node of awireless network that the mobile communications device of FIG. 1 maycommunicate with;

FIG. 4 is a block diagram of an exemplary embodiment of a host systemthat the mobile communications device of FIG. 1 may communicate with;and,

FIG. 5 is a flowchart diagram of an exemplary embodiment of a passwordapproval method.

DETAILED DESCRIPTION

It will be appreciated that for simplicity and clarity of illustration,where considered appropriate, reference numerals may be repeated amongthe figures to indicate corresponding or analogous elements or steps. Inaddition, numerous specific details are set forth in order to provide athorough understanding of the embodiments described herein. However, itwill be understood by those of ordinary skill in the art that theembodiments described herein may be practiced without these specificdetails. In other instances, well-known methods, procedures andcomponents have not been described in detail so as not to obscure theembodiments described herein. Furthermore, this description is not to beconsidered as limiting the scope of the embodiments described herein,but rather as merely describing the implementation of the variousembodiments described herein.

The embodiments described herein generally relate to passwordverification. To facilitate an understanding of the embodiments providedherein, the embodiments will be described in terms of password approvalon a mobile wireless communication device, hereafter referred to as amobile device, that can send and receive wireless messages. Examples ofapplicable communication devices include pagers, cellular phones,cellular smart-phones, wireless organizers, personal digital assistants,computers, laptops, handheld wireless communication devices, wirelesslyenabled notebook computers and the like, each of which requires a userto enter a password during use.

The mobile device is a two-way communication device with advanced datacommunication capabilities including the capability to communicate withother mobile devices or computer systems through a network oftransceiver stations. The mobile device may also have the capability toallow voice communication. Depending on the functionality provided bythe mobile device, it may be referred to as a data messaging device, atwo-way pager, a cellular telephone with data messaging capabilities, awireless Internet appliance, or a data communication device (with orwithout telephony capabilities). To aid the reader in understanding thestructure of the mobile device and how it communicates with otherdevices and host systems, reference will now be made to FIGS. 1 through4.

Referring first to FIG. 1, shown therein is a block diagram of a mobiledevice 100 in one exemplary implementation. The mobile device 100comprises a number of components, the controlling component being a mainprocessor 102 which controls the overall operation of mobile device 100.Communication functions, including data and voice communications, areperformed through a communication subsystem 104. The communicationsubsystem 104 receives messages from and sends messages to a wirelessnetwork 200. In this exemplary implementation of the mobile device 100,the communication subsystem 104 is configured in accordance with theGlobal System for Mobile Communication (GSM) and General Packet RadioServices (GPRS) standards. The GSM/GPRS wireless network is usedworldwide and it is expected that these standards will be supersededeventually by Enhanced Data GSM Environment (EDGE) and Universal MobileTelecommunications Service (UMTS). New standards are still beingdefined, but it is believed that they will have similarities to thenetwork behaviour described herein, and it will also be understood bypersons skilled in the art that the embodiments described herein areintended to use any other suitable standards that are developed in thefuture. The wireless link connecting the communication subsystem 104with the wireless network 200 represents one or more different RadioFrequency (RF) channels, operating according to defined protocolsspecified for GSM/GPRS communications. With newer network protocols,these channels are capable of supporting both circuit switched voicecommunications and packet switched data communications.

Although the wireless network 200 associated with mobile device 100 is aGSM/GPRS wireless network in one exemplary implementation, otherwireless networks may also be associated with the mobile device 100 invariant implementations. The different types of wireless networks thatmay be employed include, for example, data-centric wireless networks,voice-centric wireless networks, and dual-mode networks that can supportboth voice and data communications over the same physical base stations.Combined dual-mode networks include, but are not limited to, CodeDivision Multiple Access (CDMA) or CDMA2000 networks, GSM/GPRS networks(as mentioned above), and future third-generation (3G) networks likeEDGE and UMTS. Some other examples of data-centric networks include WiFi802.11, Mobitex™ and DataTAC™ network communication systems. Examples ofother voice-centric data networks include Personal Communication Systems(PCS) networks like GSM and Time Division Multiple Access (TDMA)systems.

The main processor 102 also interacts with additional subsystems such asa Random Access Memory (RAM) 106, a flash memory 108, a display 110, anauxiliary input/output (I/O) subsystem 112, a data port 114, a keyboard116, a speaker 118, a microphone 120, short-range communications 122 andother device subsystems 124.

Some of the subsystems of the mobile device 100 performcommunication-related functions, whereas other subsystems may provide“resident” or on-device functions. By way of example, the display 110and the keyboard 116 may be used for both communication-relatedfunctions, such as entering a text message for transmission over thenetwork 200, and device-resident functions such as a calculator or tasklist. Operating system software used by the main processor 102 istypically stored in a persistent store such as the flash memory 108,which may alternatively be a read-only memory (ROM) or similar storageelement (not shown). Those skilled in the art will appreciate that theoperating system, specific device applications, or parts thereof, may betemporarily loaded into a volatile store such as the RAM 106.

The mobile device 100 may send and receive communication signals overthe wireless network 200 after required network registration oractivation procedures have been completed. Network access is associatedwith a subscriber or user of the mobile device 100. To identify asubscriber, the mobile device 100 requires a SIM/RUIM card 126 (i.e.Subscriber Identity Module or a Removable User Identity Module) to beinserted into a SIM/RUIM interface 128 in order to communicate with anetwork. The SIM card or RUIM 126 is one type of a conventional “smartcard” that can be used to identify a subscriber of the mobile device 100and to personalize the mobile device 100, among other things. Withoutthe SIM card 126, the mobile device 100 is not fully operational forcommunication with the wireless network 200. By inserting the SIMcard/RUIM 126 into the SIM/RUIM interface 128, a subscriber can accessall subscribed services. Services may include: web browsing andmessaging such as e-mail, voice mail, Short Message Service (SMS), andMultimedia Messaging Services (MMS). More advanced services may include:point of sale, field service and sales force automation. The SIMcard/RUIM 126 includes a processor and memory for storing information.Once the SIM card/RUIM 126 is inserted into the SIM/RUIM interface 128,it is coupled to the main processor 102. In order to identify thesubscriber, the SIM card/RUIM 126 contains some user parameters such asan International Mobile Subscriber Identity (IMSI). An advantage ofusing the SIM card/RUIM 126 is that a subscriber is not necessarilybound by any single physical mobile device. The SIM card/RUIM 126 maystore additional subscriber information for a mobile device as well,including datebook (or calendar) information and recent callinformation. Alternatively, user identification information can also beprogrammed into the flash memory 108.

The mobile device 100 is a battery-powered device and includes a batteryinterface 132 for receiving one or more rechargeable batteries 130. Insome embodiments, the battery 130 can be a smart battery with anembedded microprocessor. The battery interface 132 is coupled to aregulator (not shown), which assists the battery 130 in providing powerV+ to the mobile device 100. Although current technology makes use of abattery, future technologies such as micro fuel cells may provide thepower to the mobile device 100.

The main processor 102, in addition to its operating system functions,enables execution of software applications 134 on the mobile device 100.The subset of software applications 134 that control basic deviceoperations, including data and voice communication applications, willnormally be installed on the mobile device 100 during its manufacture.

The software applications 134 include a message application 136. Themessage application 136 can be any suitable software program that allowsa user of the mobile device 100 to send and receive electronic messages.Various alternatives exist for the message application 136 as is wellknown to those skilled in the art. Messages that have been sent orreceived by the user are typically stored in the flash memory 108 of themobile device 100 or some other suitable storage element in the mobiledevice 100. In an alternative embodiment, some of the sent and receivedmessages may be stored remotely from the device 100 such as in a datastore of an associated host system that the mobile device 100communicates with.

Another program that is executed by the mobile device 100 providesapproval for user passwords. The password approval module 138 can beused to authorize the password that has been selected by the user of themobile device 100 based on a list of specified forbidden passwords andother information. Password approval can be undertaken periodically, orquasi-periodically, since a new list of specified forbidden passwordscan be generated periodically or quasi-periodically. The list ofspecified forbidden passwords can include passwords that are commonlyused; this may depend on the geographical area in which the useroperates the mobile device since some users select their password basedon local things such as sports teams, and the like. Accordingly, thelist of specified passwords can be modified depending on where themobile device 100 is being used.

The password approval module 138 executes a password approval method todetermine whether the user password specified by the user of the mobiledevice 100 is acceptable. The user password can be a password that iscurrently being used, or a new password that the user wishes to use. Thepassword approval module 138 accesses a list of specified forbiddenpasswords and a list of symbolic equivalents to make this determinationfrom a local data store such as the flash memory 108. In otherimplementations, the password approval module 138 may be able to accessthis information from a remote data store. The list of specifiedforbidden passwords and the list of symbolic equivalents are discussedin more detail below. The list of specified forbidden passwords and thelist of symbolic equivalents can be remotely updated by an administratorwho maintains a server that the mobile device 100 communicates with. Insome embodiments, each time the list of specified forbidden passwords orthe list of symbolic equivalents is updated, the password approvalmodule 138 can be executed to approve the current user passwordassociated with the mobile device 100. The password approval method canbe repeated several times if several different user passwords arecurrently being used on the mobile device 100. The operation of thepassword approval module 138 is discussed in further detail below. Thepassword approval module 138 can be created using any suitable softwareprogramming language as is well known to those skilled in the art.

The mobile device 100 further includes a device state module 140, anaddress book 142, a Personal Information Manager (PIM) 144, and othermodules 146. The device state module 140 provides persistence, i.e. thedevice state module 140 ensures that important device data is stored inpersistent memory, such as the flash memory 108, so that the data is notlost when the mobile device 100 is turned off or loses power. Theaddress book 142 provides information for a list of contacts for theuser. For a given contact in the address book, the information caninclude the name, phone number, work address and email address of thecontact, among other information. The other modules 146 may include aconfiguration module (not shown) as well as other modules that can beused in conjunction with the SIM/RUIM interface 128.

The PIM 144 provides functionality for organizing and managing dataitems of interest to a subscriber, such as, but not limited to, e-mail,calendar events, voice mails, appointments, and task items. A PIMapplication has the ability to send and receive data items via thewireless network 200. PIM data items may be seamlessly integrated,synchronized, and updated via the wireless network 200 with the mobiledevice subscriber's corresponding data items stored and/or associatedwith a host computer system. This functionality creates a mirrored hostcomputer on the mobile device 100 with respect to such items. This canbe particularly advantageous when the host computer system is the mobiledevice subscriber's office computer system.

Additional applications may also be loaded onto the mobile device 100through at least one of the wireless network 200, the auxiliary I/Osubsystem 112, the data port 114, the short-range communicationssubsystem 122, or any other suitable device subsystem 124. Thisflexibility in application installation increases the functionality ofthe mobile device 100 and may provide enhanced on-device functions,communication-related functions, or both. For example, securecommunication applications may enable electronic commerce functions andother such financial transactions to be performed using the mobiledevice 100.

The data port 114 enables a subscriber to set preferences through anexternal device or software application and extends the capabilities ofthe mobile device 100 by providing for information or software downloadsto the mobile device 100 other than through a wireless communicationnetwork. The alternate download path may, for example, be used to loadan encryption key onto the mobile device 100 through a direct and thusreliable and trusted connection to provide secure device communication.

The data port 114 can be any suitable port that enables datacommunication between the mobile device 100 and another computingdevice. The data port can be a serial or a parallel port. In someinstances, the data port 114 can be a USB port that includes data linesfor data transfer and a supply line that can provide a charging currentto charge the battery 130 of the mobile device 100.

The short-range communications subsystem 122 provides for communicationbetween the mobile device 100 and different systems or devices, withoutthe use of the wireless network 200. For example, the subsystem 122 mayinclude an infrared device and associated circuits and components forshort-range communication. Examples of short-range communicationstandards include standards developed by the Infrared Data Association(IrDA), Bluetooth, and the 802.11 family of standards developed by IEEE.

In use, a received signal such as a text message, an e-mail message, orweb page download will be processed by the communication subsystem 104and input to the main processor 102. The main processor 102 will thenprocess the received signal for output to the display 110 oralternatively to the auxiliary I/O subsystem 112. A subscriber may alsocompose data items, such as e-mail messages, for example, using thekeyboard 116 in conjunction with the display 110 and possibly theauxiliary I/O subsystem 112. The auxiliary subsystem 112 may includedevices such as: a touch screen, mouse, track ball, infrared fingerprintdetector, or a roller wheel with dynamic button pressing capability. Thekeyboard 116 is preferably an alphanumeric keyboard and/ortelephone-type keypad. However, other types of keyboards may also beused. A composed item may be transmitted over the wireless network 200through the communication subsystem 104.

For voice communications, the overall operation of the mobile device 100is substantially similar, except that the received signals are output tothe speaker 118, and signals for transmission are generated by themicrophone 120. Alternative voice or audio I/O subsystems, such as avoice message recording subsystem, can also be implemented on the mobiledevice 100. Although voice or audio signal output is accomplishedprimarily through the speaker 118, the display 110 can also be used toprovide additional information such as the identity of a calling party,duration of a voice call, or other voice call related information.

Referring now to FIG. 2, a block diagram of the communication subsystemcomponent 104 of FIG. 1 is shown. The communication subsystem 104comprises a receiver 150 and a transmitter 152, as well as associatedcomponents such as one or more embedded or internal antenna elements154, 156, Local Oscillators (LOs) 158, and a processing module such as aDigital Signal Processor (DSP) 160. As will be apparent to those skilledin the field of communications, the particular design of thecommunication subsystem 104 is dependent upon the communication networkwith which the mobile device 100 is intended to operate. Thus, it shouldbe understood that the design illustrated in FIG. 2 serves only as oneexample.

Signals received by the antenna 154 through the wireless network 200 areinput to the receiver 150, which can perform such common receiverfunctions as signal amplification, frequency down conversion, filtering,channel selection, and analog-to-digital (ND) conversion. A/D conversionof a received signal allows more complex communication functions such asdemodulation and decoding to be performed in the DSP 160. In a similarmanner, signals to be transmitted are processed, including modulationand encoding, by the DSP 160. These DSP-processed signals are input tothe transmitter 152 for digital-to-analog (D/A) conversion, frequency upconversion, filtering, amplification and transmission over the wirelessnetwork 200 via the antenna 156. The DSP 160 not only processescommunication signals, but also provides for receiver and transmittercontrol. For example, the gains applied to communication signals in thereceiver 150 and transmitter 152 can be adaptively controlled throughautomatic gain control algorithms implemented in the DSP 160.

The wireless link between the mobile device 100 and the wireless network200 can contain one or more different channels, typically different RFchannels, and associated protocols used between the mobile device 100and the wireless network 200. An RF channel is a limited resource thatmust be conserved, typically due to limits in overall bandwidth andlimited battery power of the mobile device 100. Accordingly, when themobile device 100 is fully operational, the transmitter 152 is typicallykeyed or turned on only when it is transmitting to the wireless network200 and is otherwise turned off to conserve resources. Similarly, thereceiver 150 is periodically turned off to conserve power until it isneeded to receive signals or information (if at all) during designatedtime periods.

Referring now to FIG. 3, a block diagram of an exemplary implementationof a node of the wireless network 200 is shown as 202. In practice, thewireless network 200 comprises one or more nodes 202. The mobile device100 communicates with the node 202. In the exemplary implementation ofFIG. 3, the node 202 is configured in accordance with General PacketRadio Service (GPRS) and Global Systems for Mobile (GSM) technologies.The node 202 includes a base station controller (BSC) 204 with anassociated tower station 206, a Packet Control Unit (PCU) 208 added forGPRS support in GSM, a Mobile Switching Center (MSC) 210, a HomeLocation Register (HLR) 212, a Visitor Location Registry (VLR) 214, aServing GPRS Support Node (SGSN) 216, a Gateway GPRS Support Node (GGSN)218, and a Dynamic Host Configuration Protocol (DHCP) 220. This list ofcomponents is not meant to be an exhaustive list of the components ofevery node 202 within a GSM/GPRS network, but rather a list ofcomponents that are commonly used in communications through the wirelessnetwork 200.

In a GSM network, the MSC 210 is coupled to the BSC 204 and to alandline network, such as a Public Switched Telephone Network (PSTN) 222to satisfy circuit switching requirements. The connection through PCU208, SGSN 216 and GGSN 218 to the public or private network (Internet)224 (also referred to herein generally as a shared networkinfrastructure) represents the data path for GPRS capable mobiledevices. In a GSM network extended with GPRS capabilities, the BSC 204also contains a Packet Control Unit (PCU) 208 that connects to the SGSN216 to control segmentation, radio channel allocation and to satisfypacket switched requirements. To track mobile device location andavailability for both circuit switched and packet switched management,the HLR 212 is shared between the MSC 210 and the SGSN 216. Access tothe VLR 214 is controlled by the MSC 210.

The station 206 is a fixed transceiver station. The station 206 and BSC204 together form the fixed transceiver equipment. The fixed transceiverequipment provides wireless network coverage for a particular coveragearea commonly referred to as a “cell”. The fixed transceiver equipmenttransmits communication signals to and receives communication signalsfrom mobile devices within its cell via the station 206. The fixedtransceiver equipment normally performs such functions as modulation andpossibly encoding and/or encryption of signals to be transmitted to themobile device 100 in accordance with particular, usually predetermined,communication protocols and parameters, under control of its controller.The fixed transceiver equipment similarly demodulates and possiblydecodes and decrypts, if necessary, any communication signals receivedfrom the mobile device 100 within its cell. The communication protocolsand parameters may vary between different nodes. For example, one nodemay employ a different modulation scheme and operate at differentfrequencies than other nodes.

For all mobile devices 100 registered with a specific network, permanentconfiguration data such as a user profile can be stored in the HLR 212.The HLR 212 also contains location information for each registeredmobile device and can be queried to determine the current location of amobile device. The MSC 210 is responsible for a group of location areasand stores the data of the mobile devices currently in its area ofresponsibility in the VLR 214. Further, the VLR 214 also containsinformation on mobile devices that are visiting other networks. Theinformation in the VLR 214 includes part of the permanent mobile devicedata transmitted from the HLR 212 to the VLR 214 for faster access. Bymoving additional information from a remote HLR 212 node to the VLR 214,the amount of traffic between these nodes can be reduced so that voiceand data services can be provided with faster response times and at thesame time require less use of computing resources.

The SGSN 216 and GGSN 218 are elements added for GPRS support; namelypacket switched data support, within GSM. The SGSN 216 and MSC 210 havesimilar responsibilities within the wireless network 200 by keepingtrack of the location of each mobile device 100. The SGSN 216 alsoperforms security functions and access control for data traffic on thewireless network 200. The GGSN 218 provides internetworking connectionswith external packet switched networks and connects to one or moreSGSN's 216 via an Internet Protocol (IP) backbone network operatedwithin the network 200. During normal operations, a given mobile device100 must perform a “GPRS Attach” to acquire an IP address and to accessdata services. This requirement is not present in circuit switched voicechannels as Integrated Services Digital Network (ISDN) addresses areused for routing incoming and outgoing calls. Currently, all GPRScapable networks use private, dynamically assigned IP addresses, thusrequiring the DHCP server 220 to be connected to the GGSN 218. There aremany mechanisms for dynamic IP assignment, including using a combinationof a Remote Authentication Dial-In User Service (RADIUS) server and theDHCP server. Once the GPRS Attach is complete, a logical connection isestablished from the mobile device 100, through the PCU 208, and theSGSN 216 to an Access Point Node (APN) within the GGSN 218. The APNrepresents a logical end of an IP tunnel that can either access directInternet compatible services or private network connections. The APNalso represents a security mechanism for the wireless network 200,insofar as each mobile device 100 must be assigned to one or more APNsand the mobile devices 100 cannot exchange data without first performinga GPRS Attach to an APN that it has been authorized to use. The APN maybe considered to be similar to an Internet domain name such as“myconnection.wireless.com”.

Once the GPRS Attach is complete, a tunnel is created and all traffic isexchanged within standard IP packets using any protocol that can besupported in IP packets. This includes tunneling methods such as IP overIP as in the case with some IPSecurity (IPsec) connections used withVirtual Private Networks (VPN). These tunnels are also referred to asPacket Data Protocol (PDP) contexts and there are a limited number ofthese available in the wireless network 200. To maximize use of the PDPContexts, the wireless network 200 will run an idle timer for each PDPContext to determine if there is a lack of activity. When the mobiledevice 100 is not using its PDP Context, the PDP Context can bede-allocated and the IP address returned to the IP address pool managedby the DHCP server 220.

Referring now to FIG. 4, shown therein is a block diagram illustratingcomponents of an exemplary configuration of a host system 250. In oneinstance, the host system 250 can be a corporate enterprise system. Thehost system 250 will typically be a corporate office or other local areanetwork (LAN), but may also be a home office computer system or someother private system, for example, in variant implementations. In theexample shown in FIG. 4, the host system 250 is depicted as a LAN of anorganization to which a user of the mobile device 100 belongs.Typically, a plurality of mobile devices can communicate wirelessly withthe host system 250 through one or more nodes 202.

The host system 250 comprises a number of network components connectedto each other by the LAN connections 260. For instance, a user's desktopcomputer 262 a with an accompanying cradle 264 for the user's mobiledevice 100 is situated on a LAN connection. The cradle 264 for themobile device 100 can be coupled to the computer 262 a by a serial or aUniversal Serial Bus (USB) connection, for example. Other user computers262 b-262 n can also be situated on the LAN 260, and each may or may notbe equipped with an accompanying cradle 264 that is suitable for amobile device. The cradle 264 facilitates the loading of information(e.g. PIM data, private symmetric encryption keys to facilitate securecommunications between the mobile device 100 and the host system 250,etc.) from the user computer 262 a to the mobile device 100, and may beparticularly useful for bulk information updates often performed ininitializing the mobile device 100 for use. The information downloadedto the mobile device 100 may include certificates used in the exchangeof messages.

It will be understood by persons skilled in the art that the usercomputers 262 a-262 n will typically also be connected to otherperipheral devices, such as printers, etc. which are not explicitlyshown in FIG. 4. Furthermore, only a subset of network components of thehost system 250 are shown in FIG. 4 for ease of exposition, and it willbe understood by persons skilled in the art that the host system 250will comprise additional components that are not explicitly shown inFIG. 4 for this exemplary configuration. More generally, the host system250 may represent a smaller part of a larger network (not shown) of theorganization, and may comprise different components and/or be arrangedin different topologies than that shown in the exemplary embodiment ofFIG. 4.

In this exemplary embodiment, the mobile device 100 communicates withthe host system 250 through node 202 of the wireless network 200 and ashared network infrastructure 224 such as a service provider network orthe public Internet. Access to the host system 250 may be providedthrough one or more routers (not shown), and computing devices of thehost system 250 may operate from behind a firewall or proxy server 266.The proxy server 266 provides a secure node and a wireless internetgateway for the host system 250. The proxy server 266 intelligentlyroutes data to the correct destination server.

In some implementations, the host system 250 can include a wireless VPNrouter (not shown) to facilitate data exchange between the host system250 and the mobile device 100. The wireless VPN router allows a VPNconnection to be established directly through a specific wirelessnetwork to the mobile device 100. The wireless VPN router can be usedwith the Internet Protocol (IP) Version 6 (IPV6) and IP-based wirelessnetworks. This protocol can provide enough IP addresses so that eachmobile device has a dedicated IP address, making it possible to pushinformation to a mobile device at any time. An advantage of using awireless VPN router is that it can be an off-the-shelf VPN component,and does not require a separate wireless gateway and separate wirelessinfrastructure. A VPN connection can preferably be a TransmissionControl Protocol (TCP)/IP or User Datagram Protocol (UDP)/IP connectionfor delivering the messages directly to the mobile device 100 in thisalternative implementation.

Messages intended for a user of the mobile device 100 are initiallyreceived by a message server 268 of the host system 250. Such messagesmay originate from any number of sources. For instance, a message mayhave been sent by a sender from the computer 262 b within the hostsystem 250, from a different mobile device (not shown) connected to thewireless network 200 or to a different wireless network, or from adifferent computing device or other device capable of sending messages,via the shared network infrastructure 224, possibly through anapplication service provider (ASP) or Internet service provider (ISP),for example.

The message server 268 typically acts as the primary interface for theexchange of messages, particularly e-mail messages, within theorganization and over the shared network infrastructure 224. Each userin the organization that has been set up to send and receive messages istypically associated with a user account managed by the message server268. Some exemplary implementations of the message server 268 include aMicrosoft Exchange™ server, a Lotus Domino™ server, a Novell Groupwise™server, or another suitable mail server installed in a corporateenvironment. In some implementations, the host system 250 may comprisemultiple message servers 268. The message server 268 may also be adaptedto provide additional functions beyond message management, including themanagement of data associated with calendars and task lists, forexample.

When messages are received by the message server 268, they are typicallystored in a data store associated with the message server 268. In someembodiments, the data store may be a separate hardware unit (not shown)that the message server 268 communicates with. Messages can besubsequently retrieved and delivered to users by accessing the messageserver 268. For instance, an e-mail client application operating on auser's computer 262 a may request the e-mail messages associated withthat user's account stored on the data store associated with the messageserver 268. These messages are then retrieved from the data store andstored locally on the computer 262 a. The data store associated with themessage server 268 can store copies of each message that is locallystored on the mobile device 100. Alternatively, the data storeassociated with the message server 268 can store all of the messages forthe user of the mobile device 100 and only a smaller number of messagescan be stored on the mobile device 100 to conserve memory. For instance,the most recent messages (in the past two to three months for example)can be stored on the mobile device 100.

When operating the mobile device 100, the user may wish to have e-mailmessages retrieved for delivery to the handheld. An e-mail clientapplication operating on the mobile device 100 may also request messagesassociated with the user's account from the message server 268. Thee-mail client may be configured (either by the user or by anadministrator, possibly in accordance with an organization's informationtechnology (IT) policy) to make this request at the direction of theuser, at some pre-defined time interval, or upon the occurrence of somepre-defined event. In some implementations, the mobile device 100 isassigned its own e-mail address, and messages addressed specifically tothe mobile device 100 are automatically redirected to the mobile device100 as they are received by the message server 268.

To facilitate the wireless communication of messages and message-relateddata between the mobile device 100 and components of the host system250, a number of wireless communication support components 270 may beprovided. In some implementations, the wireless communication supportcomponents 270 can include a message management server 272, a mobiledata server 274, a contact server 276, a password policy module 278, andthe like.

The message management server 272 can be used to specifically providesupport for the management of messages, such as e-mail messages, thatare to be handled by mobile devices. Generally, while messages are stillstored on the message server 268, the message management server 272 canbe used to control when, if, and how messages are sent to the mobiledevice 100. The message management server 272 also facilitates thehandling of messages composed on the mobile device 100, which are sentto the message server 268 for subsequent delivery.

For example, the message management server 272 may monitor the user's“mailbox” (e.g. the message store associated with the user's account onthe message server 268) for new e-mail messages, and applyuser-definable filters to new messages to determine if and how themessages are relayed to the user's mobile device 100. The messagemanagement server 272 may also compress and encrypt new messages (e.g.using an encryption technique such as Data Encryption Standard (DES) orTriple DES) and push them to the mobile device 100 via the sharednetwork infrastructure 224 and the wireless network 200. The messagemanagement server 272 may also receive messages composed on the mobiledevice 100 (e.g. encrypted using Triple DES), decrypt and decompress thecomposed messages, re-format the composed messages if desired so thatthey will appear to have originated from the user's computer 262 a, andre-route the composed messages to the message server 268 for delivery.

Certain properties or restrictions associated with messages that are tobe sent from and/or received by the mobile device 100 can be defined(e.g. by an administrator in accordance with IT policy) and enforced bythe message management server 272. These may include whether the mobiledevice 100 may receive encrypted and/or signed messages, minimumencryption key sizes, whether outgoing messages must be encrypted and/orsigned, and whether copies of all secure messages sent from the mobiledevice 100 are to be sent to a pre-defined copy address, for example.

The message management server 272 may also be adapted to provide othercontrol functions, such as only pushing certain message information orpre-defined portions (e.g. “blocks”) of a message stored on the messageserver 268 to the mobile device 100. For example, in one instance, whena message is initially retrieved by the mobile device 100 from themessage server 268, the message management server 272 may push only thefirst part of a message to the mobile device 100, with the part being ofa pre-defined size (e.g. 2 KB). The user can then request more of themessage, to be delivered in similar-sized blocks by the messagemanagement server 272 to the mobile device 100, possibly up to a maximumpre-defined message size. Accordingly, the message management server 272facilitates better control over the type of data and the amount of datathat is communicated to the mobile device 100, and can help to minimizepotential waste of bandwidth or other resources.

The mobile data server 274 encompasses any other server that storesinformation that is relevant to the corporation. The mobile data server274 may include, but is not limited to, databases, online data documentrepositories, customer relationship management (CRM) systems, orenterprise resource planning (ERP) applications.

The contact server 276 can provide information for a list of contactsfor the user in a similar fashion to the address book 142 on the mobiledevice 100. Accordingly, for a given contact, the contact server 276 caninclude the name, phone number, work address and email address of thecontact, among other information. The contact server 276 can alsoprovide a global address list that contains the contact information forall of the contacts associated with the host system 250.

It will be understood by persons skilled in the art that the messagemanagement server 272, the mobile data server 274, the contact server276 and the password policy module 278 need not be implemented onseparate physical servers within the host system 250. For example, someor all of the functions associated with the message management server272 may be integrated with the message server 268, or some other serverin the host system 250. Furthermore, the host system 250 may comprisemultiple message management servers 272, particularly in variantimplementations where a large number of mobile devices need to besupported. Furthermore, in some embodiments, the functionality of thepassword policy module 278 may be provided by an IT policy module or anIT policy server (both not shown).

For maximum security, it is desirable for an IT administrator to be ableto prevent certain passwords (i.e. forbidden passwords) from beingchosen, as well as all corresponding “symbolically equivalent”passwords. A symbolically equivalent password that corresponds to aforbidden password has a majority of characters that the same as thosein a forbidden password and at least one character or symbol that issymbolically equivalent to one or more letters (i.e. charactersequences) of the given password. Symbolic equivalence includescharacters that are visually or phonetically similar (i.e. looks orsounds the same) to other characters or character sequences. The ITadministrator can specify this information in two lists; one list is aset of specified forbidden passwords that the user is not allowed touse, and the other list provides symbolic equivalents for a list ofcharacter sequences. In some embodiments, one or both of the list ofsymbolic equivalents and the list of specified forbidden passwords canbe static. In some implementations, these lists can be realized locallyor remotely using look-up tables in which the symbolic equivalent can beused as an index into the look-up table.

In some embodiments, the IT administrator can use the password policymodule 278 to update the password policy by updating the list ofspecified forbidden passwords and the list of symbolic equivalents. Insome embodiments, the IT administrator can also remotely update thepassword policy of the mobile devices by communicating with the passwordapproval module 138 over the network 200 and updating a local copy ofthe list of specified forbidden passwords and the list of symbolicequivalents. The local copies of these lists can be stored on the flashmemory 108 of the mobile device 100. Accordingly, the password policycan be maintained centrally and then communicated to various mobiledevices 100 using a suitable wireless communication infrastructure suchas that described herein. In some embodiments, the wirelesscommunication infrastructure includes a transport stack that contains aset of communication protocols that enables the host system 250 tocommunicate with the mobile device 100. A subset of applicationsprovided by the transport stack can be used to pass IT policy commandsto the operating system of the mobile device 100 and can be used toprovide an updated password policy. In some embodiments, the passwordpolicy update can also be done over a wired connection, such as via thecradle 264, for example.

At any time, the IT administrator can initiate a check of the passwordsthat are currently being used by the users of the mobile devices 100associated with the host system 250. In some embodiments, this can bedone each time the IT administrator distributes at least one of a newlist of specified forbidden passwords and a list of symbolicequivalents. In some embodiments, the password approval method can beexecuted when the user is selecting a password for the first time orwhen the user changes the current password that is being used.

A password that corresponds to a specified forbidden password andcontains zero or more symbolic equivalents, as defined by the symboliclist, is defined as being forbidden and is not approved by the passwordapproval module 138. For example, if the specified forbidden password is“password”, then the following exemplary proposed passwords are notallowed: “password”, “password123”, “pAssWord123”, and “xpAsS1wOrDy”. Inthe first case, the proposed password directly matches the specifiedforbidden password. In the second case, the proposed password can beconsidered to contain two portions; the first portion is “password” andthe second portion is “123”. The first portion directly matches thespecified forbidden password. The third case is the same as the secondcase except that some of the characters have been capitalized.Accordingly, it is clear that password approval can be done on acase-insensitive basis. In the fourth case, the proposed passwordcontains the specified forbidden password albeit not in a contiguousmanner since the character “1” has been inserted between “pAsS” and“wOrD”.

The list of symbolic equivalents can include symbols, or numbers thatlook or sound similar to a given character sequence or symbols that arecommonly substituted for the given character sequence. A charactersequence can include one or more characters as shown in Table 1. Forexample, for visual symbolic equivalents, the symbol “@” is similar tothe character sequence “a” or “A”, the number “5” is similar to thecharacter sequence “s”, the number “0” is similar to the charactersequence “o”, and the number “3” is similar to the character sequence“e”. Further, for phonetic symbolic equivalents, some examples includereplacing the character sequence “c” with “k”, replacing the charactersequence “k” with “c”, replacing the character sequence “f” with “ph”,or replacing the character sequence “ph” with “f”. An exemplary list ofsymbolic equivalents is provided in Table 1. It should be noted thatTable 1 is not meant to be an exhaustive or comprehensive list. Table 1is provided by way of example only, and those skilled in the art willrecognize that additional symbolic equivalents can be defined in asimilar manner.

A given entry in the list of symbolic equivalents includes a charactersequence having one or more characters and a corresponding list ofsymbolic equivalents. For example, Table 1 specifies that “|)” is asymbolic equivalent for the character sequence “D” and that “0r” is asymbolic equivalent for the character sequences “er” or “or”. Based onthe symbolic equivalents in Table 1, passwords that are similar to“password” include but are not limited to: “p@ssword”, “p@55w0rd”,“ppa55wordd” and “|o4ZZVV0|)\|)”. It should be noted that spaces areused in some of the symbolic equivalents in Table 1 to make it easier tosee the characters that make up a symbolic equivalent. In use, thesymbolic equivalents may or may not include spaces. If the symbolicequivalents are stored without spaces, then if a user enters a passwordthat includes spaces, the spaces can then be removed for purposes ofsymbolic comparison with specified forbidden passwords. Alternatively,if there are spaces in the symbolic equivalents then these spaces can beremoved, as well as spaces in the user-entered password so that theuser-entered password can be compared with the symbolic equivalents.

TABLE 1 Exemplary List of Symbolic Equivalents Character SequenceSymbolic Equivalent A @, 4, ^({circumflex over ( )}), /\ B 8, |3 C (, <,|<, s, $, 5 D |) E 3 F p h, |[, |= G 6, 9 H |-|, (-), |{ I 1, !, | K <,|<, |{, ( L 1, !, |, |_(—) M /\/\, r n, |v|, /v\, |\/| N /\/, |\| O 0, () P |0, |o Q “0,” “o,” (note use of comma in symbolic equivalent) R |p,|)\ S 5, Z, $, (, x, > <, < T 7, + U |_|, ( ) V \/ W \/\/, \\′, vv,|/\|, ′//, {grave over ( )}// X ><, xx, cks Y ′/, {grave over ( )}/, \′Z 2, s, $, 5 or 0r Er 0r

Referring now to FIG. 5, shown therein is a flowchart diagram of anexemplary embodiment of a password approval method 300. The passwordapproval method 300 can be executed by the password approval module 138at various times, including when the user enters a password for thefirst time, when the user changes a password, when the IT administratordistributes a new symbolic equivalents list or a new list of specifiedforbidden passwords, or at any time the IT administrator chooses to do arandom check of passwords that are currently being used on the mobiledevices 100.

At step 302, the user password is obtained. The term user password ismeant to include the current password that the user is currently using,or a proposed password that the user wishes to use. At step 304, atleast one symbolically equivalent password is generated. A symbolicallyequivalent password is a symbolic translation of the user password inwhich any symbolic equivalents in the user password are identified andthe corresponding character sequence as defined in the list of symbolicequivalents is obtained. This step can include creating a temporarybuffer to hold the symbolic translation of the user password. Thesymbolic translation can be performed as follows. For each character inthe user password, the character is first added to the symbolicallyequivalent password being generated in the temporary buffer. If thecharacter is defined as a symbolic equivalent (for example see theequivalents defined in Table 1), then the corresponding charactersequence is appended to the symbolic password. Further, if the currentcharacter and one or more subsequent characters in the user password aredefined as a multi-character symbolic equivalent, then the correspondingcharacter sequence is also appended to the symbolic password. Examplesof multi-character symbolic equivalents from Table 1 include “xx”,“cks”, and the like. This can be done recursively. For instance, thefirst character can be processed, then the first and second characterstogether, then the first, second and third characters and so on and soforth. Once the combinations including the first character areprocessed, then the combinations beginning with the second character canbe processed, and so on and so forth.

For example, for the user password “ss|”, one of the symbolicallyequivalent passwords that is created can be “sczscz|il”. Further, forthe user password “|3”, one of the generated symbolically equivalentpasswords can be “|ilb3e”. In this case, character “|” is copied intothe temporary buffer, then character sequences for which the character“|” is symbolically equivalent are copied into the temporary buffer,then sequences for which the character sequence “|3” is symbolicallyequivalent are copied into the temporary buffer. Then the character “3”gets copied into the temporary buffer and, then character sequences forwhich the character “3” is symbolically equivalent are copied into thetemporary buffer to create the symbolically equivalent password.

There can be some instances in which the symbolic equivalent maps to twoor more character sequences. In this case, in some embodiments, all ofthe character sequences to which the symbolic equivalent is mapped canbe appended to the symbolic password. Alternatively, in someembodiments, additional symbolically equivalent passwords can begenerated to cover these different possibilities. For instance, if asymbolic equivalent is found in the user password that maps to threedifferent character sequences, then two additional symbolicallyequivalent passwords can be generated. This processing is then continuedfor each of the additional symbolically equivalent passwords which mayresult in the generation of additional symbolically equivalent passwordsif any of the remaining the characters are symbolic equivalents that mapto two or more character sequences.

At step 306, the one or more symbolically equivalent passwords arecompared to each specified forbidden password provided in the list ofspecified forbidden passwords. For a given specified forbidden password,in general, if the characters in the given specified forbidden passwordappear in order, although not sequentially or contiguously, in thesymbolically equivalent password (or in some embodiments, in at leastone of the symbolically equivalent passwords) then the user password isnot approved. Otherwise, the user password is approved. This comparisoncan be done on a case-insensitive basis. In some embodiments, the userpassword is not approved if the majority of the characters in the givenspecified forbidden password appear in order, although not sequentiallyor contiguously, with a minority of the characters reversed in order.

If the user password is not approved, then the method 300 moves to step308. The user is notified that the user password has not been approvedand is asked to select another password. The method 300 then moves backto step 302. Step 308 may also include providing the user with anexplanation of why the user password is not approved so that the usercan make a more intelligent selection for the user password.

If the user password is approved, then the method 300 moves to step 310.An indication of password approval can be provided to the user of themobile device 100. At this point, the user is then free to continueusing the mobile device 100.

As an example, assume that the user password is “p@s5word”. Further,assume that the character sequence “a” corresponds to the symbolicequivalent “@” and the character sequence “s” corresponds to thesymbolic equivalent “5” as illustrated in Table 1. After step 304, oneof the generated symbolic passwords is “p@as5sword”. If the list ofspecified forbidden passwords contains “password”, then in step 306 theuser password is rejected, since the symbolically equivalent passwordcontains the characters “p”, “a”, “s”, “s”, “w”, “o”, “r”, and “d” inorder (although not contiguously or sequentially).

In some embodiments, for more stringent control of password use, step306 of the method 300 does not have to require that all of thecharacters of a specified forbidden password appear sequentially in thesymbolically equivalent password. For instance, using the previousexample, the proposed password can be “@ps5word”. Assuming the samecharacter sequence correspondence with the symbolic equivalents, one ofthe generated symbolically equivalent passwords is “@aps5sword”. Such apassword can also not be approved since all of the characters in thespecified forbidden password appear in the symbolically equivalentpassword although not in order (the “a” and the “p” are reversed). Inthese embodiments, an order parameter can be specified which dictatesthe proportion of the characters in the symbolically equivalent passwordthat are in the correct order compared to a specified forbiddenpassword. In the example just given, the proportion is 75% (i.e. 6 outof 8 characters of the user's proposed password are in the correct ordercompared to the specified forbidden password).

Further, in some embodiments, for more stringent control of passworduse, step 306 of the method 300 does not have to require that all of thecharacters of a specified forbidden password appear in the symbolicallyequivalent password. For instance, using the previous example, theproposed password can be “p@s5wor”. Assuming the same character sequencecorrespondence with the symbolic equivalents, one of the generatedsymbolically equivalent passwords is “p@as5swor”. Such a password canalso not be approved since most of the characters in the specifiedforbidden password appear in the symbolically equivalent password. Therecan be a minimum limit on the number of characters of the specifiedforbidden password that must appear in the symbolic password, which canbe specified by a length parameter. For instance, using the specifiedforbidden password “password”, the IT administrator may specify that atleast six of these characters must appear in the symbolically equivalentpassword for the user password to be rejected. This length parameter forthe number of matching characters can be specified for a given passwordin the list of specified forbidden passwords, or for all of thepasswords in the list of specified forbidden passwords. In someembodiments, the length parameter can be specified for each password inthe list of specified forbidden passwords. In some embodiments, thelength parameter can also be specified as a percentage. In the examplejust given, the length parameter is 87.5% (i.e. 7 out of 8 characters ofthe specified forbidden password are in the user's proposed password).

In some embodiments, for even more stringent control of password use,step 306 of the method 300 does not have to require that all of thecharacters of a specified forbidden password appear in the symbolicallyequivalent password or that these characters appear sequentially. Forinstance, using the previous example, the proposed password can be“@ps5wor”. Assuming the same character sequence substitutions, one ofthe generated symbolically equivalent passwords is “@aps5swor”. Such apassword can also not be approved since most of the characters in thespecified forbidden password appear in the symbolically equivalentpassword even though some of the characters are not in the correctorder. In these embodiments, both the order and length passwords can bespecified.

Accordingly, the password approval method 300 described herein does notallow a user password that correspond to a specified forbidden passwordthat can be defined by the IT administrator. While the password approvalmethod 300 may seem to be dictionary-like, it also takes intoconsideration additional human behavior (i.e. the use of symbols).

In one aspect, at least one embodiment described herein provides acomputer program product for approving a user password for acommunication device, the computer program product comprising a computerreadable medium embodying program code means executable by a processorof the communication device for implementing a password approval method.The password approval method comprises:

obtaining the user password;

generating at least one symbolically equivalent password;

comparing the at least one symbolically equivalent password with atleast one specified forbidden password; and,

disapproving the user password if the at least one symbolicallyequivalent password corresponds to the at least one forbidden password,otherwise approving the user password.

In some cases, for at least one given character of the user password,the password approval method includes generating the at least onesymbolically equivalent password by appending the at least one givencharacter of the user password to the symbolically equivalent password,determining if the at least one given character of the user password isa symbolic equivalent and if so determining a corresponding charactersequence and appending the corresponding character sequence to the atleast one symbolically equivalent password.

In some cases, the character sequence includes one or more characters.

In some cases, the at least one given character of the user passwordincludes adjacent characters in the user password.

In some cases, the password approval method further includes comparingthe at least one given character of the user password to a list ofsymbolic equivalents to determine if the at least one given character ofthe user password is a symbolic equivalent.

In some cases, the list of symbolic equivalents includes visual symbolicequivalents.

In some cases, the list of symbolic equivalents includes phoneticsymbolic equivalents.

In some cases, in the comparing step of the password approval method,the at least one symbolically equivalent password corresponds to the atleast one forbidden password if the number of characters in the at leastone forbidden password that are included in the at least onesymbolically equivalent password is greater than or equal to a valuespecified by a length parameter.

In some cases, in the comparing step of the password approval method,the at least one symbolically equivalent password corresponds to the atleast one forbidden password if the number of characters in the at leastone forbidden password that are included in the correct order in the atleast one symbolically equivalent password is greater than or equal to avalue specified by an order parameter.

In another aspect, at least one embodiment described herein provides amethod for approving a user password for a communication device. Thepassword approval method comprises:

obtaining the user password;

generating at least one symbolically equivalent password;

comparing the at least one symbolically equivalent password with atleast one specified forbidden password; and,

disapproving the user password if the at least one symbolicallyequivalent password corresponds to the at least one forbidden password,otherwise approving the user password.

In some cases, for at least one given character of the user password,the method includes generating the at least one symbolically equivalentpassword by appending the at least one given character of the userpassword to the symbolically equivalent password, determining if the atleast one given character of the user password is a symbolic equivalentand if so determining a corresponding character sequence and appendingthe corresponding character sequence to the at least one symbolicallyequivalent password.

In some cases, the method further includes comparing the at least onegiven character of the user password to a list of symbolic equivalentsto determine if the at least one given character of the user password isa symbolic equivalent.

In some cases, the list of symbolic equivalents includes at least oneof: visual symbolic equivalents, phonetic symbolic equivalents, andsymbols that are commonly substituted for a given character sequence.

In some cases, in the comparing step, the at least one symbolicallyequivalent password corresponds to the at least one forbidden passwordif at least one of: the number of characters in the at least oneforbidden password that are included in the at least one symbolicallyequivalent password is greater than or equal to a value specified by alength parameter, and the number of characters in the at least oneforbidden password that are included in the at least one symbolicallyequivalent password in the correct order is greater than or equal to anorder parameter.

In another aspect, at least one embodiment described herein provides acommunications device comprising: a main processor that controls theoperation of the communications device; a communication subsystemconnected to the main processor, the communication subsystem sends andreceives data; and, a password approval module executable by the mainprocessor for approving a user password for the communication device by:obtaining the user password; generating at least one symbolicallyequivalent password; comparing the at least one symbolically equivalentpassword with at least one specified forbidden password; and,disapproving the user password if the at least one symbolicallyequivalent password corresponds to the at least one forbidden password,otherwise approving the user password.

In some cases, for at least one given character of the user password,the password approval module generates the at least one symbolicallyequivalent password by appending the at least one given character of theuser password to the symbolically equivalent password, determining ifthe at least one given character of the user password is a symbolicequivalent and if so determining a corresponding character sequence andappending the corresponding character sequence to the at least onesymbolically equivalent password.

In some cases, the password approval module compares the at least onegiven character of the user password to a list of symbolic equivalentsto determine if the at least one given character of the user password isa symbolic equivalent.

In some cases, the list of symbolic equivalents includes at least oneof: visual symbolic equivalents, phonetic symbolic equivalents, andsymbols that are commonly substituted for a given character sequence.

In some cases, the password approval module determines that the at leastone symbolically equivalent password corresponds to the at least oneforbidden password if at least one of: the number of characters in theat least one forbidden password that are included in the at least onesymbolically equivalent password is greater than or equal to a valuespecified by a length parameter, and the number of characters in the atleast one forbidden password that are included in the at least onesymbolically equivalent password in the correct order is greater than orequal to an order parameter.

It should be understood that various modifications can be made to theembodiments described and illustrated herein, without departing from theembodiments, the general scope of which is defined in the appendedclaims. It should also be understood that while the embodiments weredescribed for a mobile device, the embodiments are generally applicableto any communication or computing device that requires the use ofpassword approval. For instance, the embodiments may be modified forimplementation on a computer in which the communication subsystem mayinstead be a network connection or a modem.

The invention claimed is:
 1. A device comprising: a processor, and atleast one physical memory component; wherein the processor is configuredto: receive a password to approve, the password to approve comprising acharacter sequence; execute a password approval method, wherein theprocessor is configured to: for each selected character of at least onecharacter in the character sequence: add the selected character from thecharacter sequence to each of one or more symbolically equivalentpasswords; and for each character sequence equivalent associated withthe selected character found in the list of symbolic equivalents, addthe character sequence equivalent to at least one of the one or moresymbolically equivalent passwords, wherein the character sequenceequivalent is associated with the selected character if a correspondingsymbolic equivalent in the list consists of the selected character aloneor the selected character plus one or more subsequent characters in thecharacter sequence; compare each of the one or more symbolicallyequivalent passwords with a specified forbidden password; and disapprovethe password to approve if any one of the one or more symbolicallyequivalent passwords corresponds to the specified forbidden password. 2.The device of claim 1, wherein the device comprises a mobile device. 3.The device of claim 1, wherein the list of symbolic equivalents isstored in the memory of the device.
 4. The device of claim 1, whereinthe list of symbolic equivalents comprises visual symbolic equivalents.5. The device of claim 1, wherein the list of symbolic equivalentscomprises phonetic symbolic equivalents.
 6. The device of claim 1,wherein a given symbolically equivalent password corresponds to thespecified forbidden password if all of the characters in the specifiedforbidden password are in the given symbolically equivalent password. 7.The device of claim 1, wherein a given symbolically equivalent passwordcorresponds to the specified forbidden password if a number ofcharacters in the specified forbidden password that are in the givensymbolically equivalent password is greater than or equal to a valuespecified by a length parameter.
 8. The device of claim 1, wherein agiven symbolically equivalent password corresponds to the specifiedforbidden password if all of the characters in the specified forbiddenpassword are, in order, in the given symbolically equivalent password.9. The device of claim 1, wherein a given symbolically equivalentpassword corresponds to the specified forbidden password if a number ofcharacters in the specified forbidden password that are, in order, inthe given symbolically equivalent password is greater than or equal to avalue specified by an order parameter.
 10. The device of claim 1,wherein when executing the password approval method, the processor isfurther configured to: for each additional forbidden password in a listof forbidden passwords that is different from the specified forbiddenpassword, compare each of the one or more symbolically equivalentpasswords with the additional forbidden password; disapprove thepassword to approve if any one of the one or more symbolicallyequivalent passwords corresponds to any one of the forbidden passwordsin the list of forbidden passwords; and approve the password to approveif none of the one or more symbolically equivalent passwords correspondto at least one of the forbidden passwords in the list of forbiddenpasswords.
 11. The device of claim 10, wherein the list of forbiddenpasswords is stored in the memory of the device.
 12. The device of claim10, wherein the processor is further configured to receive an updatedlist of forbidden passwords at the device.
 13. The device of claim 12,wherein the processor is configured to execute the password approvalmethod in response to the updated list of forbidden passwords beingreceived at the device.
 14. The device of claim 1, wherein the processoris further configured to receive an updated list of symbolic equivalentsat the device.
 15. The device of claim 14, wherein the processor isconfigured to execute the password approval method in response to theupdated list of symbolic equivalents being received at the device. 16.The device of claim 1, wherein the processor is configured to executethe password approval method in response to the password to approvebeing received at the device for a first time.
 17. The device of claim1, wherein the processor is configured to execute the password approvalmethod in response to a user request to change a password being receivedat the device.
 18. The device of claim 1, wherein the processor isconfigured to execute the password approval method in response to arequest, initiated by an IT administrator, for a random check of thepassword to approve.
 19. A password approval method, comprising: aprocessor receiving a password to approve, the password to approvecomprising a character sequence; for each selected character of at leastone character in the character sequence: the processor adding theselected character from the character sequence to each of one or moresymbolically equivalent passwords; and for each character sequenceequivalent associated with the selected character found in the list ofsymbolic equivalents, the processor adding the character sequenceequivalent to at least one of the one or more symbolically equivalentpasswords, wherein the character sequence equivalent is associated withthe selected character if a corresponding symbolic equivalent in thelist consists of the selected character alone or the selected characterplus one or more subsequent characters in the character sequence; theprocessor comparing each of the one or more symbolically equivalentpasswords with a specified forbidden password; and the processordisapproving the password to approve if any one of the one or moresymbolically equivalent passwords corresponds to the specified forbiddenpassword.
 20. A non-transitory computer-readable medium comprisinginstructions executable by a processor, wherein the processor isconfigured to execute a password approval method, and wherein thepassword approval method comprises: receiving a password to approve, thepassword to approve comprising a character sequence; for each selectedcharacter of at least one character in the character sequence: addingthe selected character from the character sequence to each of one ormore symbolically equivalent passwords; and for each character sequenceequivalent associated with the selected character found in the list ofsymbolic equivalents, adding the character sequence equivalent to atleast one of the one or more symbolically equivalent passwords, whereinthe character sequence equivalent is associated with the selectedcharacter if a corresponding symbolic equivalent in the list consists ofthe selected character alone or the selected character plus one or moresubsequent characters in the character sequence; comparing each of theone or more symbolically equivalent passwords with a specified forbiddenpassword; and disapproving the password to approve if any one of the oneor more symbolically equivalent passwords corresponds to the specifiedforbidden password.